This decision illustrates the concrete protection provided to an individual with regard to their health data, which are highly sensitive (86% of French people describe them as such, see The French and digital health, Toluna Harri Interactive survey for the Ministry of Labor, Health and Solidarity, February 5, 2024) and are subject to numerous violations as evidenced by various cyberattacks (e.g., against third-party payment managers). According to a report established by the CNILbetween May 2018 and May 2023, 11.8% of the notifications it received related to human health and social action, which can be explained by the proliferation of digital health tools and services: teleconsultation, connected objects, My health space, Health Data Hubetc. The processing of health data therefore requires particular vigilance, a particularly topical issue with the Health Data Hub. Created in France in 2019 to store and make available health data for research purposes, it is strongly criticized – despite the approval by the CNIL of the possibility of hosting part of this data. via the EMC2 platform (CNIL Deliberation, No. 2023-146, 21 Dec. 2023) – due to the identity of its host: Microsoft. The latter’s US nationality subjects the platform to US law with the fear that intelligence services may access the data.
Clarification on the difference between pseudonymity and anonymity of data
Importance of the distinction
